Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc

Two companies owned by Hamburg-based fuel group Marquard & Bahls are battling cyberattackers, with loading and unloading systems at the German arm of petrol tank terminal provider Oiltanking affected.

The company this afternoon confirmed to The Register that Oiltanking GmbH's terminals – which provide Shell service stations, among others – are "operating with limited capacity" and that Mabanaft GmbH had "declared force majeure for the majority of its inland supply activities in Germany."

Shell has additional providers, however, and said it had "diverted operations to other suppliers to minimise disruption."
We have asked the firms which software and systems were affected. German newspaper Der Spiegel reported that because Oiltanking's loading and unloading systems are "essentially automated", the operation of the tanker trucks that supply some of the nation's petrol stations is only possible to a "limited extent manually."

Around nine months ago, the operators of the Colonial Pipeline – which stretches 5,500 miles between Texas and New York, and can carry up to 3 million barrels of fuel per day – reportedly paid $5m to regain access to their systems after they were struck by ransomware, said to have been the work of the Darkside group.

Charles Carmakal, senior VP at cybersecurity firm Mandiant, which responded to the incident, revealed in an interview a month later that crooks had accessed Colonial Pipeline's network through an old VPN and password believed to have fallen into the wrong hands via the dark web.
 
A whistleblower has accused Pegasus spyware-maker NSO Group of offering "bags of cash" to security company Mobileum in exchange for access to cellular networks in 2017. According to reports yesterday by The Guardian and The Washington Post, former Mobileum VP Gary Miller made his allegations in a complaint to the US Department of Justice and in an interview with news organizations that are part of the Pegasus Project consortium.

Miller alleged that, during the Mobileum/NSO Group meeting, "a member of his own company's leadership at Mobileum asked what NSO believed the 'business model' was of working with Mobileum, since Mobileum did not sell access to the global signalling networks as a product," The Guardian wrote. "According to Miller, and a written disclosure he later made to federal authorities, the response allegedly made by [NSO co-founder Omri] Lavie was 'we drop bags of cash at your office.'"

NSO Group, an Israeli company that was recently blacklisted by the US government, was allegedly seeking access to the SS7 network. Mobileum's various security products include an SS7 firewall, and the company's website warns that "modestly priced access to the SS7 network is now available to hackers on a modest budget."
 
More and more phishing kits are focusing on bypassing multi-factor authentication (MFA) methods, researchers have warned – typically by stealing authentication tokens via a man-in-the-middle (MiTM) attack.

As MFA continues to see widespread consumer and business adoption – a full 78 percent of respondents in a recent poll said they used it in 2021 – cybercriminals have devoted resources into keeping up. According to an analysis from Proofpoint, MFA-bypass phishing kits are proliferating rapidly, “ranging from simple open-source kits with human readable code and no-frills functionality to sophisticated kits utilizing numerous layers of obfuscation and built-in modules that allow for stealing usernames, passwords, MFA tokens, Social Security numbers and credit-card numbers.”
 
The first chainable bug, CVE-2021-38452, is a file-read vulnerability that allows an unauthenticated attacker to read any file on the target operating system.

“Most of MXview’s web routes require a user to be authenticated,” according to Team82. “In most routes under the ResourceRoutes class, the sanitize-filename library is used in order to validate that the requested file does not contain malicious characters, namely path traversal characters (../).”

However, the server does not use the sanitize-filename library for one of the routes, called “/tmp.”

“This lack of validation allows a user to supply path-traversal characters that fetch arbitrary files,” according to the analysis. “Furthermore, since many passwords and configurations are saved on the disk as clear-text, a malicious user could use this unauthenticated file-read primitive to retrieve secret passwords and configurations (i.e., the password to the MQTT broker).”

Once an attacker has access to the MQTT broker, CVE-2021-38454 and CVE-2021-38458 come into play to allow RCE through command injection. The former is an improper access-control issue that allows remote connections to internal communication channels. The latter is due to improper neutralization of special elements, which enables an attacker to remotely execute unauthorized commands, disable software, or read and modify otherwise inaccessible data.

If you have Moxa's MXview web-management software on your network, be worried.
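The point of the MXview bug above is a single route that skips the validation every other route applies. As an added illustration (not MXview's code, not Team82's), the snippet below shows the unchecked join-and-open pattern next to a hardened resolver that refuses any name escaping the served directory. The base directory and file names are constructed for this example.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed example: a hypothetical directory that a "/tmp"-style route
# serves files from.  Neither the path nor the file names are MXview's own.
BASE_DIR = Path("/var/app/tmp")


def resolve_unchecked(requested: str) -> Path:
    """The unvalidated pattern: the user-supplied name is joined onto the base
    directory and handed straight to the file system.  "../" segments (or an
    absolute name) walk out of BASE_DIR."""
    return Path(os.path.normpath(BASE_DIR / requested))


def resolve_checked(requested: str) -> Optional[Path]:
    """Hardened form: normalise the candidate and refuse it unless it is strictly
    inside BASE_DIR.  Returns None when the request must be rejected."""
    candidate = Path(os.path.normpath(BASE_DIR / requested))
    try:
        relative = candidate.relative_to(BASE_DIR)
    except ValueError:
        return None  # escaped the base directory
    if str(relative) in ("", "."):
        return None  # the directory itself is not a file to serve
    return candidate


def triage(requested: str) -> dict:
    """Side-by-side view of what each resolver would do for one request."""
    checked = resolve_checked(requested)
    return {
        "request": requested,
        "unchecked": str(resolve_unchecked(requested)),
        "checked": str(checked) if checked else "REJECTED",
    }


if __name__ == "__main__":
    for name in ("report.log", "../../etc/passwd", "/etc/passwd", "sub/../config.yaml"):
        print(triage(name))
```

The containment test is done on the normalised path rather than by scanning for "../", so encoded or doubled-up variants are handled the same way; in production, resolve symlinks (realpath) on the existing file before the containment check as well.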
 
Researchers on Tuesday revealed a new threat actor that over the past five years has blasted thousands of organizations with an almost endless stream of malicious messages designed to infect systems with data-stealing malware.

TA2541, as security firm Proofpoint has named the hacking group, has been active since at least 2017, when company researchers started tracking it. The group uses relatively crude tactics, techniques, and procedures, or TTPs, to target organizations in the aviation, aerospace, transportation, manufacturing, and defense industries. These TTPs include the use of malicious Google Drive links that attempt to trick targets into installing off-the-shelf trojans.
 
Footage of opposition leaders calling for the assassination of Iran’s Supreme Leader ran on several of the nation’s state-run TV channels in late January after a state-sponsored cyber-attack on Iranian state broadcaster IRIB.

The incident – one of a series of politically motivated attacks in Iran that have occurred in the last year – included the use of a wiper that potentially ties it to a previous high-profile attack on Iran’s national transportation networks in July, according to researchers from Check Point Research.

However, though the earlier attacks have been attributed to Iran state-sponsored actor Indra, researchers believe a copycat actor was behind the IRIB attack based on the malware and tools used in the attack, they said in a report published Friday.

“Among the tools used in the attack, we identified malware that takes screenshots of the victims’ screens, several custom-made backdoors, and related batch scripts and configuration files used to install and configure the malicious executables,” researchers wrote in the report. “We could not find any evidence that these tools were used previously, or attribute them to a specific threat actor.”

The disruptive attack on IRIB occurred on Jan. 27, with attackers showing a savviness and knowledge of how to infiltrate systems that suggest it may also have been an inside job, researchers said.

The attack managed to bypass security systems and network segmentation, penetrate the broadcaster’s networks, and produce and run the malicious tools that relied on internal knowledge of the broadcasting software used by victims, “all while staying under the radar during the reconnaissance and initial intrusion stages,” they noted.

Indeed, nearly two weeks after the attack happened, news outlets affiliated with opposition party MEK published a status report of the attack claiming that state-sponsored radio and TV networks still had not returned to normal, and that more than 600 servers, advanced digital production, archiving, and broadcasting of radio and television equipment have been destroyed, according to the report.
It’s still unclear who, exactly, the perpetrators of the IRIB attack are, however. While Iranian officials believe the Iranian opposition political party MEK is behind the attack, the group itself has denied involvement, researchers said.

Further, hacktivist group Predatory Sparrow, which claimed responsibility for the previous three infrastructure attacks, also affiliated itself with the IRIB attack via its Telegram channel. However, this is unlikely, as “no technical proof of the group’s attribution to the attack has been discovered,” according to Check Point.

What is known about the threat actor, however, is that due to the relative complexity of the attack itself, the group “may have many capabilities that have yet to be explored,” researchers noted.

At the same time, their reliance on IRIB insiders may have been the secret to the attackers’ success, as the tools they used are of “relatively low quality and sophistication, and are launched by clumsy and sometimes buggy 3-line batch scripts,” according to Check Point.

“This might support the theory that the attackers might have had help from inside the IRIB, or indicate a yet unknown collaboration between different groups with different skills,” researchers noted.
In analyzing the wiper used in the attacks, researchers found “two identical .NET samples named msdskint.exe whose main purpose is to wipe the computer’s files, drives, and MBR,” they reported.

The malware also has the capability to clear Windows Event Logs, delete backups, kill processes and change users’ passwords, among other features.

To corrupt files, the wiper has three modes: default, which overwrites the first 200 bytes of each chunk of 1024 bytes with random values; light-wipe, which overwrites the number of chunks specified in the configuration; and full_purge, which does just that – overwrites the entire file content.
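The chunk layout described for the default mode (200 random bytes at the head of every 1024-byte chunk) leaves a recognisable entropy signature in the damaged files. As an added forensic-triage example, not part of the Check Point report, the code below profiles a file chunk by chunk and labels it as intact, partially overwritten (the default-mode pattern) or fully overwritten (as after full_purge). The fixtures are constructed in memory; the chunk and head sizes come from the report, the entropy threshold is an assumption.

```python
import math
import os
from collections import Counter
from typing import List, Tuple

CHUNK = 1024      # chunk size named in the report
HEAD = 200        # bytes overwritten per chunk in the wiper's default mode
HIGH = 6.5        # assumed Shannon-entropy threshold (bits/byte) for "random"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for empty input, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chunk_profile(data: bytes) -> List[Tuple[float, float]]:
    """(entropy of first HEAD bytes, entropy of the rest) for every full chunk."""
    profile = []
    for off in range(0, len(data) - CHUNK + 1, CHUNK):
        chunk = data[off:off + CHUNK]
        profile.append((shannon_entropy(chunk[:HEAD]), shannon_entropy(chunk[HEAD:])))
    return profile


def classify(data: bytes) -> str:
    """'partial-overwrite' when most chunks have a random head and a low-entropy
    tail (the default-mode signature), 'full-overwrite' when whole chunks look
    random, 'intact' otherwise."""
    profile = chunk_profile(data)
    if not profile:
        return "too-small"
    partial = sum(1 for h, t in profile if h > HIGH and t < HIGH)
    full = sum(1 for h, t in profile if h > HIGH and t > HIGH)
    if full >= 0.8 * len(profile):
        return "full-overwrite"
    if partial >= 0.8 * len(profile):
        return "partial-overwrite"
    return "intact"


def make_fixtures() -> dict:
    """Constructed fixtures (not samples from the incident): a repetitive text
    file, the same buffer with the head of each chunk randomised, and a buffer
    that is random throughout."""
    text = (b"Quarterly report, section 1: revenue steady. " * 200)[:8 * CHUNK]
    partially = b"".join(
        os.urandom(HEAD) + text[off + HEAD:off + CHUNK]
        for off in range(0, len(text), CHUNK)
    )
    fully = os.urandom(len(text))
    return {"intact": text, "partial": partially, "full": fully}


if __name__ == "__main__":
    for name, body in make_fixtures().items():
        print(name, "->", classify(body))
```

Already-compressed or encrypted files have a high-entropy tail as well and will land in the full-overwrite bucket, so the label is a triage hint to prioritise which files to inspect, not proof of wiping on its own.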
 
A cyber report published by intelligence agencies in the UK and US on Wednesday has attributed insidious new malware to a notorious Russia-backed hacking group.

The findings come amid concerns of potential Russian cyber-attacks against Ukraine as the threat of war in the region grows.

The joint research was published by the National Cyber Security Centre in the UK and US agencies including the National Security Agency. It warned that a Russian state-backed hacker group known as Sandworm had developed a new type of malware called Cyclops Blink, which targets firewall devices made by the manufacturer Watchguard to protect computers against hacks.

 
Cisco has warned users of its Firepower firewalls – physical and virtual – that they may need to upgrade their kit within a four-day window or miss out on security intelligence updates.

A Monday Field Notice advised that the SSL certificate authority used to sign certificates for Talos security intelligence updates will be decommissioned and replaced on March 6, 2022.

The updates deliver lists of sites identified as sources of malware, spam, botnets, and phishing to Cisco appliances, which can automatically apply them so that admins don't have to add to the always-growing list of threats manually.

But once Cisco changes to the new certificate authority, Firepower devices "might" not be able to receive Talos updates. Snort rule updates, the Cisco Vulnerability Database, and the Geolocation Database will still flow.
 
One cryptography expert said that ‘serious flaws’ in the way Samsung phones encrypt sensitive material, as revealed by academics, are ‘embarrassingly bad.’
Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year’s Galaxy S21.

Researchers at Tel Aviv University found what they called “severe” cryptographic design flaws that could have let attackers siphon the devices’ hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that’s found in smartphones.

What’s more, cyber attackers could even exploit Samsung’s cryptographic missteps – since addressed in multiple CVEs – to downgrade a device’s security protocols. That would set up a phone to be vulnerable to future attacks: a practice known as IV (initialization vector) reuse attacks. IV reuse attacks screw with the encryption randomization that ensures that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts will each be distinct.
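Why IV reuse matters is easiest to see with a stream of keystream bytes: encrypting two messages under the same key and IV lets the keystream cancel out, so the XOR of the ciphertexts equals the XOR of the plaintexts. The block below is an added illustration (not the Tel Aviv paper's code and not Samsung's implementation) using a toy SHA-256 counter-mode keystream in place of a real AEAD; the weakness shown depends only on the (key, IV) pair repeating. It also shows the defensive check a key-management layer can enforce: an IV tracker that refuses a repeat.

```python
import hashlib
import os


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || iv || counter) blocks.
    A stand-in for a real cipher's keystream; only the reuse property matters."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """XOR with the keystream; decryption is the same operation."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))


def ciphertexts_leak_plaintext_xor(key: bytes, iv1: bytes, iv2: bytes,
                                   p1: bytes, p2: bytes) -> bool:
    """True when C1 xor C2 == P1 xor P2, i.e. the keystream cancelled out.
    That is exactly the case when the same (key, IV) pair was used twice."""
    c1, c2 = encrypt(key, iv1, p1), encrypt(key, iv2, p2)
    return xor(c1, c2) == xor(p1, p2)


class IvTracker:
    """Defensive check: every IV used under a given key must be fresh.
    register() raises on the first repeat instead of silently encrypting."""
    def __init__(self) -> None:
        self._seen = set()

    def fresh_iv(self, key: bytes, size: int = 12) -> bytes:
        iv = os.urandom(size)
        self.register(key, iv)
        return iv

    def register(self, key: bytes, iv: bytes) -> None:
        if (key, iv) in self._seen:
            raise ValueError("IV reuse under the same key")
        self._seen.add((key, iv))

    def was_used(self, key: bytes, iv: bytes) -> bool:
        return (key, iv) in self._seen


if __name__ == "__main__":
    key = b"\x01" * 16  # constructed demo key
    p1 = b"transfer 100 to account A"
    p2 = b"transfer 900 to account B"
    same = ciphertexts_leak_plaintext_xor(key, b"\0" * 12, b"\0" * 12, p1, p2)
    fresh = ciphertexts_leak_plaintext_xor(key, b"\0" * 12, b"\1" * 12, p1, p2)
    print("reused IV leaks P1 xor P2:", same)
    print("fresh IVs leak P1 xor P2:", fresh)
```

With a real AEAD such as AES-GCM the consequence of a repeated IV is worse still, since the authentication key can also be recovered; the mitigation is the same as the tracker shows, which is to generate IVs from a source the caller cannot influence and never accept one that has been seen before.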
 
The United States' Cybersecurity and Infrastructure Security Agency (CISA), working with security vendor Symantec, has found an extremely sophisticated network attack tool that can invisibly create backdoors, has been plausibly linked to Chinese actors, and may have been in use since 2013.

Symantec's threat hunting team has named the malware "Daxin" and described it as "a stealthy backdoor designed for attacks on hardened networks". The Broadcom-owned security firm says it's found samples of the malware dating back to 2013, and that features present in recent versions were also found in older cuts of the code. Those recent versions of the malware have been associated with "China-linked threat actors".

CISA's advisory about the malware describes it as "a highly sophisticated rootkit backdoor with complex, stealthy command and control functionality that enabled remote actors to communicate with secured devices not connected directly to the internet". The agency asserts that Daxin "appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks and exfiltrate data without raising suspicions".

Symantec's analysis of the malware states it's been used as recently as November 2021 by attackers linked to the Middle Kingdom, and that whoever wields it has targeted "organizations and governments of strategic interest to China".

Wherever it comes from, Daxin is nasty.

Symantec says it ships as a Windows kernel driver and works to hijack legitimate TCP/IP connections.

"In order to do so, it monitors all incoming TCP traffic for certain patterns," Symantec's analysis states. "Whenever any of these patterns are detected, Daxin disconnects the legitimate recipient and takes over the connection. It then performs a custom key exchange with the remote peer, where two sides follow complementary steps."

Once key exchange has been conducted, Daxin opens an encrypted communication channel for receiving commands and sending responses. By hijacking connections, Daxin may evade firewall rules.
Daxin can also perform the following tricks:
  • Create a new communications channel across multiple infected computers, with attackers able to send a single message specifying which nodes they want to participate in this effort. The network then self-assembles and creates encrypted links between nodes and retransmits the message ordering use of each node. Symantec suggests this design was chosen to work on well-guarded networks that force periodic reconnection.
  • Encapsulate raw network packets to be transmitted via the local network adapter. Daxin then tracks network flows so that any response packets are captured and forwarded to the remote attacker. This feature means attackers can communicate with legitimate services that are reachable from the infected machine on the target's network.
  • Deploy additional stealthy comms components, one of which allows a remote attacker to communicate with selected components.
 
Last August, academic researchers discovered a potent new method for knocking sites offline: a fleet of misconfigured servers more than 100,000 strong that can amplify floods of junk data to once-unthinkable sizes. These attacks, in many cases, could result in an infinite routing loop that causes a self-perpetuating flood of traffic. Now, content-delivery network Akamai says attackers are exploiting the servers to target sites in the banking, travel, gaming, media, and web-hosting industries.

These servers—known as middleboxes—are deployed by nation-states such as China to censor restricted content and by large organizations to block sites pushing porn, gambling, and pirated downloads. The servers fail to follow transmission control protocol specifications that require a three-way handshake—comprising a SYN packet sent by the client, a SYN+ACK response from the server, followed by a confirmation ACK packet from the client—before a connection is established.

This handshake limits the TCP-based app from being abused as amplifiers because the ACK confirmation must come from the gaming company or other target rather than an attacker spoofing the target’s IP address. But given the need to handle asymmetric routing, in which the middlebox can monitor packets delivered from the client but not the final destination that’s being censored or blocked, many such servers drop the requirement by design.

The headline is misleading; this is the same "reflect attack" that was discovered last year, but in practice


On Tuesday, Akamai researchers reported that day has come. Over the past week, the Akamai researchers said, they have detected multiple DDoSes that used middleboxes precisely the way the academic researchers predicted. The attacks peaked at 11Gbps and 1.5 million packets per second.

While small when compared to the biggest DDoSes, both teams of researchers expect the attacks to get larger as DDoSers begin to optimize their attacks and identify more middleboxes that can be abused (the academic researchers didn’t release that data to prevent it from being abused).

Kevin Bock, the lead researcher behind last August’s research paper, said DDoSers had plenty of incentives to reproduce the attacks his team theorized.

“Unfortunately, we weren’t surprised,” he told me upon learning of the active attacks. “We expected that it was only a matter of time until these attacks were being carried out in the wild because they are easy and highly effective. Perhaps worst of all, the attacks are new; as a result, many operators do not yet have defenses in place, which makes it that much more enticing to attackers.”
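The handshake argument above can be made concrete with a small simulation. As an added example (not Akamai's or the academic team's code), the block below models a TCP endpoint that only answers on connections that completed SYN / SYN+ACK / ACK, next to a middlebox that injects a block page for any packet that merely looks like a request for a censored host. It then measures bytes sent back per byte received when the source address is forged. Header sizes, the block page and the hostname are constructed assumptions; sequence numbers are omitted.

```python
from dataclasses import dataclass
from typing import List, Set

HEADER_BYTES = 40                                    # assumed IPv4 + TCP header size
BLOCK_PAGE = b"HTTP/1.1 403 Forbidden\r\n" + b"<html>blocked</html>" * 50  # constructed
BLOCKED_HOST = b"blocked.example"                    # constructed censored hostname


@dataclass
class Packet:
    src: str
    dst: str
    flags: str            # "SYN", "SYN+ACK", "ACK" or "PSH+ACK"
    payload: bytes = b""

    def size(self) -> int:
        return HEADER_BYTES + len(self.payload)


class CompliantEndpoint:
    """Answers data only on connections that completed the three-way handshake.
    A spoofed client never receives the SYN+ACK, so it can never send the ACK."""
    def __init__(self) -> None:
        self.half_open: Set[str] = set()
        self.established: Set[str] = set()

    def receive(self, pkt: Packet) -> List[Packet]:
        if pkt.flags == "SYN":
            self.half_open.add(pkt.src)
            return [Packet(pkt.dst, pkt.src, "SYN+ACK")]
        if pkt.flags == "ACK" and pkt.src in self.half_open:
            self.half_open.discard(pkt.src)
            self.established.add(pkt.src)
            return []
        if BLOCKED_HOST in pkt.payload and pkt.src in self.established:
            return [Packet(pkt.dst, pkt.src, "PSH+ACK", BLOCK_PAGE)]
        return []


class NonCompliantMiddlebox:
    """Injects the block page for any packet that looks like a request for a
    censored host, keeping no handshake state at all."""
    def receive(self, pkt: Packet) -> List[Packet]:
        if BLOCKED_HOST in pkt.payload:
            return [Packet(pkt.dst, pkt.src, "PSH+ACK", BLOCK_PAGE)]
        return []


def amplification(endpoint, packets: List[Packet]) -> float:
    """Bytes emitted towards the packets' source address per byte received."""
    sent = sum(p.size() for p in packets)
    got = sum(r.size() for p in packets for r in endpoint.receive(p))
    return got / sent if sent else 0.0


def spoofed_request(victim: str, target: str) -> List[Packet]:
    """A single packet with a forged source address: all a reflector ever sees."""
    body = b"GET / HTTP/1.1\r\nHost: " + BLOCKED_HOST + b"\r\n\r\n"
    return [Packet(victim, target, "PSH+ACK", body)]


def honest_session(client: str, target: str) -> List[Packet]:
    """Full handshake followed by the same request, as a real client sends it."""
    body = b"GET / HTTP/1.1\r\nHost: " + BLOCKED_HOST + b"\r\n\r\n"
    return [Packet(client, target, "SYN"),
            Packet(client, target, "ACK"),
            Packet(client, target, "PSH+ACK", body)]


if __name__ == "__main__":
    victim, target = "203.0.113.7", "198.51.100.1"      # documentation addresses
    print("middlebox, spoofed:", round(amplification(NonCompliantMiddlebox(), spoofed_request(victim, target)), 1))
    print("compliant, spoofed:", amplification(CompliantEndpoint(), spoofed_request(victim, target)))
    print("compliant, honest :", round(amplification(CompliantEndpoint(), honest_session("192.0.2.10", target)), 1))
```

A spoofed SYN on its own still draws a single SYN+ACK from the compliant endpoint, a ratio of about 1:1, which is why a handshake-respecting service is not a useful reflector. The middlebox, by contrast, returns the full block page for one short packet, and the ratio grows with the size of the injected page.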
 
“As tanks rolled into Ukraine, so did malware,” summarized humanitarian author Andreas Harsono, referring to the novel malware that Microsoft has named FoxBlade.

On Monday, the company reported that its Threat Intelligence Center (MSTIC) had detected cyberattacks launched against Ukraine’s digital infrastructure hours before Russia’s tanks and missiles began to pummel the country on Thursday.

“Several hours before the launch of missiles or movement of tanks on February 24, Microsoft’s Threat Intelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure,” Microsoft President and Vice-Chair Brad Smith said.

Microsoft has already taken care of it, and it is interesting that the giant removed the cyber weapon before it blew up in their hands. Let's stay alert all the same.
 
Seventeen days after Hof delivered the analysis, The Washington Post reported that the sabotage was the work of the US Cyber Command, an arm of the Department of Defense headed by the director of the National Security Agency.

As Conti members attempted to rebuild their malware infrastructure in late October, its network of infected systems suddenly mushroomed to include 428 medical facilities in the US, KrebsOnSecurity reported. The leadership decided to use the opportunity to reboot Conti’s operations by deploying its ransomware simultaneously to health care organizations that were buckling under the strain of a global pandemic.

“Fuck the clinics in the USA this week,” a Conti manager with the handle Target wrote on October 26, 2020. “There will be panic. 428 hospitals.”

Other chat logs analyzed by KrebsOnSecurity show Conti workers grumbling about low pay, long hours, grueling work routines, and bureaucratic inefficiencies.

On March 1, 2021, for instance, a low-level Conti employee named Carter reported to superiors that the bitcoin fund used to pay for VPN subscriptions, antivirus product licenses, new servers, and domain registrations was short by $1,240.

Eight months later, Carter was once again groveling.

“Hello, we’re out of bitcoins,” Carter wrote. “Four new servers, three vpn subscriptions, and 22 renewals are out. Two weeks ahead of renewals for $960 in bitcoin 0.017. Please send some bitcoins to this wallet, thanks.”
 
An anonymous reader quotes a report from TechCrunch: When Erik Johnson couldn't get his university's mobile student ID app to reliably work, he sought to find a workaround. The app is fairly important, since it allows him and every other student at his university to pay for meals, get into events and even unlock doors to dorm rooms, labs and other facilities across campus. The app is called GET Mobile, and it's developed by CBORD, a technology company that brings access control and payment systems to hospitals and universities. But Johnson -- and the many who left the app one-star reviews in frustration -- said the app was slow and would take too long to load. There had to be a better way.

And so by analyzing the app's network data at the same time he unlocked his dorm room door, Johnson found a way to replicate the network request and unlock the door by using a one-tap Shortcut button on his iPhone. For it to work, the Shortcut has to first send his precise location along with the door unlock request or his door won't open. Johnson said as a security measure students have to be physically in proximity to unlock doors using the app, seen as a measure aimed at preventing accidental door openings across campus. It worked, but why stop there? If he could unlock a door without needing the app, what other tasks could he replicate?

Johnson didn't have to look far for help. CBORD publishes a list of commands available through its API, which can be controlled using a student's credentials, like his. But he soon found a problem: The API was not checking if a student's credentials were valid. That meant Johnson, or anyone else on the internet, could communicate with the API and take over another student's account without having to know their password. Johnson said the API only checked the student's unique ID, but warned that these are sometimes the same as a university-issued student username or student ID number, which some schools publicly list on their online student directories, and as such cannot be considered a secret. Johnson described the password bug as a "master key" to his university -- at least to the doors that are controlled by CBORD. As for needing to be in close proximity to a door to unlock it, Johnson said the bug allowed him to trick the API into thinking he was physically present -- simply by sending back the approximate coordinates of the lock itself.
The vulnerability was fixed and session keys were invalidated shortly after TechCrunch shared details of the bug with CBORD.
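The CBORD bug as described comes down to an API that trusts a public identifier (the student ID) as if it were proof of identity. As an added example (hypothetical stand-in for the API, not CBORD's code), the block below shows that unchecked handler beside a hardened one that requires a signed session token, checks the token was issued to the student named in the request, and only then consults the door's access list. The proximity check is kept as the article describes it, as a safety feature; the comments note why it is not an authentication step. The secret, access list and lock coordinates are constructed.

```python
import base64
import hashlib
import hmac
import json
import math
import time
from typing import Dict, Optional, Set

SERVER_SECRET = b"constructed-demo-secret"            # hypothetical server-side key
PROXIMITY_METRES = 30.0                                # assumed unlock radius

# Constructed data: which student IDs may open which door, and each lock's
# coordinates.  None of this comes from CBORD.
DOOR_ACL: Dict[str, Set[str]] = {"dorm-101": {"s123"}, "lab-7": {"s123", "s456"}}
DOOR_LOCATION: Dict[str, tuple] = {"dorm-101": (40.7128, -74.0060),
                                   "lab-7": (40.7130, -74.0070)}


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_session(student_id: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Session token minted only after a successful password login (not shown):
    base64(JSON claims) + '.' + HMAC over those claims."""
    claims = json.dumps({"sub": student_id, "exp": (now or time.time()) + ttl}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    return body + "." + _sign(body.encode())


def verify_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """The student ID the token was issued to, or None if it is forged,
    tampered with or expired."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body.encode())):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    if claims["exp"] < (now or time.time()):
        return None
    return claims["sub"]


def near_lock(door: str, lat: float, lon: float) -> bool:
    """Equirectangular distance check, adequate at campus scale.  A guard
    against accidental unlocks only: the client chooses what coordinates it
    reports, so this must never stand in for authentication."""
    lat0, lon0 = DOOR_LOCATION[door]
    x = math.radians(lon - lon0) * math.cos(math.radians((lat + lat0) / 2))
    y = math.radians(lat - lat0)
    return 6371000.0 * math.hypot(x, y) <= PROXIMITY_METRES


def unlock_unchecked(req: dict) -> bool:
    """The flaw as described: only the student ID is consulted, and student IDs
    are often public, so any caller can act as any student."""
    allowed = req["student_id"] in DOOR_ACL.get(req["door"], set())
    return allowed and near_lock(req["door"], req["lat"], req["lon"])


def unlock_checked(req: dict, now: Optional[float] = None) -> bool:
    """Hardened: the caller must hold a valid session, the session must belong
    to the student named in the request, and that student must be on the ACL."""
    subject = verify_session(req.get("token", ""), now)
    if subject is None or subject != req["student_id"]:
        return False
    allowed = req["student_id"] in DOOR_ACL.get(req["door"], set())
    return allowed and near_lock(req["door"], req["lat"], req["lon"])
```

Invalidating every outstanding session, as the fix reportedly did, maps onto this design as rotating SERVER_SECRET: every previously issued token then fails the signature check.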
 